Identity management using ephemeral biometrics

ABSTRACT

An authentication system, device and method that include ephemeral biometrics at login authentication is disclosed. The system, device and method may continue to authenticate the user while the user is accessing a user system. The system, device and method may also include position/location reporting of the device.

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

This patent application claims priority from and the benefit of U.S. Provisional Patent Application Ser. No. 61/712,569, filed Oct. 11, 2012, entitled “Auto-Registration of Indoor Positioning Beacons”, which is hereby incorporated by reference.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

This invention was developed under Contract DE-AC04-94AL85000 between Sandia Corporation and the U.S. Department of Energy. The U.S. Government has certain rights in this invention.

FIELD OF THE INVENTION

The application generally relates to identity management using ephemeral biometrics. The application relates more specifically to a system and method for initial identity validation and persistent identity validation for accessing critical systems.

BACKGROUND

For critical infrastructure facilities, mitigation techniques for insider threats are primarily non-technical in nature and rely heavily on policies/procedures. Traditional access control measures (access cards, biometrics, PINs, etc.) are built on a philosophy of trust that enables those with appropriate permissions to access facilities without additional monitoring or restrictions.

Many authentication systems, such as those used in online banking and other web applications, operate on the basis of a virtual ID (e.g., a session cookie) that is created after an initial authentication, typically via user name and password. The security application essentially transforms a computing device into both a device that is associated with the user and a location of the user. The session cookie itself becomes the item that is tied to the network source address of the computer, which becomes akin to a location. As GPS devices and smart phones continue to become smaller, less expensive and more powerful, the session cookies may also serve a dual purpose to identify the user location. Additionally, after initial access is granted, the authentication system may prompt the user to periodically re-enter access identification, particularly when changing applications, thereby disrupting the user.

Thus, there is a need for an authentication system with reduced disruption to the user that provides a high assurance of strong authentication.

Intended advantages of the disclosed systems and/or methods satisfy one or more of these needs or provide other advantageous features. Other features and advantages will be made apparent from the present specification. The teachings disclosed extend to those embodiments that fall within the scope of the claims, regardless of whether they accomplish one or more of the aforementioned needs.

SUMMARY

The present disclosure is directed to an Ephemeral Biometric (EB) device designed to: 1) register and couple an owner's identity (i.e., biometric imprint) to a wearable portable electronic device using one or more of the factors of three-factor authentication: a) what you know, b) what you are, and c) what you have; and 2) constantly measure vital signs (i.e., heart rate, blood pressure) to continuously maintain a link between the EB device and the individual. This two-step process provides persistent identity validation with high assurance of strong authentication while only requiring a simple one-time user authentication interaction.

One embodiment relates to . . .

Another embodiment relates to . . .

An object of the present invention is to provide an authentication system with reduced disruption to the user that provides a high assurance of strong authentication.

Another object of the present invention is to provide an authentication system with high assurance of strong authentication while only requiring a simple one-time user authentication interaction.

Another object of the present invention is to provide an authentication system to track and monitor users, thereby mitigating insider threats.

An advantage of the present invention is to provide for user authentication that does not disrupt the user.

An advantage of the present invention is that biometric data is only registered on the biometric device, eliminating the need for a third party to store and secure personally identifiable information.

An advantage of the present invention is the use of unique EB identifiers, which are both revocable and re-issuable, unlike traditional biometrics, which are immutable.

An advantage of the present invention is that location can be coupled with authentication, enabling new security protocols.

Alternative exemplary embodiments relate to other features and combinations of features as may be generally recited in the claims.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates an example of an EB device and an exemplary method of use according to an embodiment of the invention.

FIG. 2 illustrates an example scenario demonstrating how the use of EBs for authentication can address the shortcomings of traditional biometrics and provide strong authentication.

DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

The present disclosure is directed to an authentication system, device and method that includes ephemeral biometrics at login authentication. The present disclosure is also directed to an authentication system, device and method that includes ephemeral biometrics at login authentication and that continues to authenticate the user while the user is accessing a user system.

Ephemeral biometrics (EB) are distinctive identifiers derived from merged traits of human factors (fingerprint, password, etc.) and the persistent live state of the user. EB are used to strongly couple a human to an authentication device. According to an embodiment of the invention, an EB device is disclosed that generates a unique human-to-machine identifier while simultaneously monitoring the live state of the user. The EB device enables an identity as long as the human and hardware remain coupled. The unique human-to-machine identifier, connected with the user's live state, maintains a link that validates identity and facilitates secure interactions with external devices. In an embodiment, the EB device may be integrated with a high-precision, real-time locating system (RTLS), so that the secure, active identity may be location monitored. In another embodiment, the EB device may be integrated with an indoor positioning system, such as disclosed in U.S. Patent Application entitled “INDOOR POSITIONING SYSTEM WITH AUTO-REGISTRATION”, concurrently filed with this application by the inventors of this invention, the disclosure of which is incorporated in its entirety by reference. The EB device provides the transitional link between the computing device location and the user location.

FIG. 1 illustrates an example of an EB device 10 according to an embodiment of the invention. The EB device 10 is in the form of a wrist watch that has been modified to include a first module to accept a local biometric login, in this example a fingerprint; a second module to monitor a live biometric parameter of a user 20, in this case heart rate; and a third module to communicate an authentication to an electronic device 30. In another embodiment, the EB device may be a medallion, ring, necklace, anklet, or other device capable of monitoring a human condition, such as, but not limited to, heart rate, body temperature, skin surface conductance, muscular potential, respiration rate, blood flow, or blood composition. In another embodiment, the local biometric login may be a fingerprint, retina scan, iris recognition, face recognition, palm print, hand geometry, blood vessel mapping, DNA, voice patterns/recognition, or handwriting.

Referring again to FIG. 1, the EB device 10 operates by accepting the local biometric login, validating that a user 20 is present by monitoring heart rate, and communicating with the electronic device 30, in this case a smart phone, into which a login identification, in this case a PIN, has been accepted. If all of these conditions are met and validated, the user 20 has access to the electronic device 30. In another embodiment, the electronic device 30 may be a computer, tablet, workstation, kiosk, network-enabled device, or any device or system requiring limited access. The EB device 10 communicates with the electronic device 30 by a data link 35. The data link 35 may be NFC, Bluetooth, IrDA, ZigBee, WiFi, or any other wireless data transfer protocol.

In an embodiment, the EB device and identity verification procedure discussed above may be configured for use with preconfigured location boundaries as determined by a position/location system, for example, an indoor positioning system as described above. In an embodiment, authentication may be prohibited if, e.g., wireless devices are located outside a secured area or a classified room. Authentication bound by location context can provide additional security against remote cyber-hackers even in the case of a compromised cyber-identity.

In an embodiment, an EB device may be a wearable medical sensor that can take accurate measurements while minimizing inconvenience and intrusiveness. An EB device may include some or all of these constraints that are typically levied on wearable medical sensor design:

-   take live-state measurements on a continuous basis;
-   measurements must be taken imperceptibly to the wearer;
-   the wearable electronic device must be of a small enough form factor that it does not hinder the wearer's sense of fashion aesthetics;
-   the electronic device must have long-lasting batteries; and
-   it must function accurately and reliably, accommodating dynamics of motion/signal noise artifacts such as sweat, operating in the rain, etc.

In an embodiment, the EB device need not take highly accurate or precise biometric measurements, provided that the device is configured to keep continuous track of some vital sign measurement associated with the user. For example, the EB device does not have to detect how many heartbeats a person has per minute, but merely that the person is alive and that the EB device has not been tampered with. One exemplary EB device may be a wristwatch with fingerprint biometrics that will electronically lock the wristband in the locked state when the fingerprint biometric is registered. As long as the wristband size is small enough to be used as a handcuff, the EB functionality is satisfied. One risk of such a device is that if a malicious actor decides to steal the identity, he or she may sever the hand of the authorized user in order to use the locked-in state of the EB watch. To avoid this gruesome possibility, some physiological parameters representing vital signs are important to incorporate into the EB device.
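The live-state rule described above (the device only needs to know that a plausible vital sign is continuously present and that the band has not been opened, not the exact heart rate) can be expressed as a small state machine. The following is an added illustration, not code from the patent or from Sandia; the plausibility range, the tolerated signal gap and the sample traces are all constructed for this example. The key property it shows is that decoupling is sticky: once the live state is lost, the identity stays invalid until a fresh biometric registration, even if good samples resume.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds for this example; a real device would tune them to
# its sensor. Only plausibility is checked, not an exact heart rate.
BPM_MIN, BPM_MAX = 30.0, 220.0
MAX_GAP_SECONDS = 5.0          # longest tolerated silence from the sensor


@dataclass
class LiveStateMonitor:
    """Tracks whether the wearer and the EB device are still coupled."""
    coupled: bool = False
    last_sample_t: float = 0.0
    state: str = "uncoupled"

    def register(self, biometric_match: bool, t: float) -> bool:
        # One-time authentication (e.g. a fingerprint match) locks in the live state.
        if not biometric_match:
            return False
        self.coupled, self.last_sample_t, self.state = True, t, "coupled"
        return True

    def feed(self, t: float, bpm: Optional[float], band_closed: bool) -> bool:
        """Consume one sensor sample; return whether the identity is still valid."""
        if not self.coupled:
            return False               # decoupled: invalid until re-registered
        if not band_closed:
            self._decouple("band opened")
        elif t - self.last_sample_t > MAX_GAP_SECONDS:
            self._decouple("signal gap")
        elif bpm is None or not (BPM_MIN <= bpm <= BPM_MAX):
            self._decouple("no plausible vital sign")
        else:
            self.last_sample_t = t
        return self.coupled

    def _decouple(self, reason: str) -> None:
        self.coupled, self.state = False, "decoupled: " + reason


def run_trace(samples: List[Tuple[float, Optional[float], bool]]) -> Tuple[List[bool], str]:
    """Register at t=0, then feed (t, bpm, band_closed) samples; return validity per sample and final state."""
    mon = LiveStateMonitor()
    mon.register(biometric_match=True, t=0.0)
    return [mon.feed(t, bpm, closed) for t, bpm, closed in samples], mon.state


# Constructed sample traces: (seconds since registration, bpm or None, band closed?)
BAND_OPENED = [(1.0, 72.0, True), (2.0, 74.0, True), (3.0, 73.0, False), (4.0, 73.0, True)]
SIGNAL_GAP = [(1.0, 70.0, True), (9.0, 70.0, True), (10.0, 71.0, True)]
NO_PULSE = [(1.0, 68.0, True), (2.0, None, True), (3.0, 68.0, True)]
HEALTHY = [(1.0, 65.0, True), (2.0, 66.0, True), (3.0, 64.0, True)]

if __name__ == "__main__":
    for name, trace in [("band opened", BAND_OPENED), ("signal gap", SIGNAL_GAP),
                        ("no pulse", NO_PULSE), ("healthy", HEALTHY)]:
        print(name, run_trace(trace))
```

In the band-opened trace the fourth sample is physiologically fine, yet the identity stays invalid; that is the behaviour that makes the biometric "ephemeral" and removes the value of a detached device.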

Table 1 provides exemplary modalities and the pros and cons of using such measurements for EB development. As far as reasonably acceptable fashion for a wearable EB, two form factors seem to satisfy the fashion constraints: a wristband versus a necklace format. Rings may also be used for an EB device but may be less suitable: hands often are submerged in water, rings are not an ideal format for carrying extra weight due to batteries and, most importantly, it is difficult to measure physiological parameters in the finger. While people are used to wearing electronic devices on their wrist, necklaces have not typically been used beyond jewelry and it is hard to envision a world where people are comfortable wearing an electronic device around their neck. With these facts in mind, the wristband format is the clear winner due to fashion esthetics, portability (battery, size), and the availability of COTS fitness products.

TABLE 1

| Sensor modality | Description | Non-contact/imperceptible | Continuous measurement | Portable | Robust | Fashion esthetics |
|---|---|---|---|---|---|---|
| Electromyograph (EMG) | Uses surface electrodes to detect muscle action potentials. | No | Yes | Yes | No | N/A |
| Feedback thermometer | Detects skin temperature with a temperature-sensitive resistor that is usually attached to a finger or toe. | No | No | Yes | No | N/A |
| Electrodermograph (EDG) | Measures skin electrical activity directly and indirectly using electrodes placed over the hand and wrist. | No | Yes | Yes | No | N/A |
| Electroencephalograph (EEG) | Measures the electrical activation of the brain from scalp sites located over the human cortex. | No | Yes | Yes | No | N/A |
| Photoplethysmograph (PPG) | Measures relative blood flow through a digit or the temple. An infrared light source is transmitted through or reflected off the tissue, detected by a phototransistor, and quantified in arbitrary units. | Yes | Yes | Yes | Yes | Yes |
| Electrocardiograph (ECG) | Electrodes are placed on the torso, wrists, or legs to measure the electrical activity of the heart and measure the heart rate. | No | Yes | Yes | No | N/A |
| Pneumograph | A respiratory strain gauge uses a flexible sensor band that is placed around the chest and/or abdomen, measuring relative expansion/contraction of the chest. | No | Yes | Yes | Yes | N/A |
| Capnometer | Measures end-tidal CO2 (the partial pressure of carbon dioxide in expired air at the end of expiration) exhaled through the nostril into a latex tube. | No | Yes | No | Yes | N/A |
| Rheoencephalograph (REG) | Electrodes are attached to the skin at certain points on the head and permit the device to continuously measure the electrical conductivity of the tissues of structures located between the electrodes. | No | Yes | Yes | No | N/A |
| Hemoencephalography (HEG) | A functional infrared imaging technique that measures the differences in the color of light reflected back through the scalp based on the relative amount of oxygenated and unoxygenated blood in the brain. | Yes | Yes | Yes | Yes | No |
| Magnetic field blood flow | A non-invasive, magnetic sensor-based acquisition of blood pulse using the interaction disturbance created by blood flowing through a localized magnetic field. | Yes | Yes | Yes | N/A | |

In an embodiment, an EB device may be linked to external applications, such as, but not limited to, real-time locating systems, access control points, and networks. These external applications may allow for the creation of novel access control techniques that eliminate previously identified deficiencies such as excessive end-user interaction. In another embodiment, the EB device may securely authenticate a user to multiple external machines or services, e.g., tablet, access point, Kerberos server, etc. The EB device may also facilitate the creation of unique authentication protocols to provide persistent identity verification.

The EB device provides highly secure coupling between human and machine as it is specifically designed to: 1) register and couple an owner's identity to a wearable portable electronic device using one or more of the factors of three-factor authentication; and 2) constantly measure vital signs, i.e., heart rate, blood pressure, to maintain a link between the EB device and the individual. This two-step process provides persistent identity tracking and validation with high assurance of strong authentication, while requiring only a simple one-time user authentication interaction. The process by which an EB identity is established is the following:

1) The EB device (a wristband) will have a unique semiconductor/microchip identity.
2) The EB device is registered with the biometric imprint from the owner.
3) The biometrically registered individual authenticates to the EB device (one-to-one match) and simultaneously the EB device will lock in the live state, or the vital signs, of the wearer.
4) The identity coupling of the EB device with the wearer of the EB device is established. This EB human-to-machine identity lasts for the duration the EB device is coupled with the user.

Using an EB device, authentication can be offloaded from a complex operating system to the simplified external EB device with a secure machine-to-machine coupling process. In cybersecurity, complexity is one of the biggest reasons for security vulnerabilities found in most computing systems. Standard operating systems (including those on smart phones) contain a minimum of ten million lines of code. For every thousand lines, there are typically between five and fifteen errors which can lead to security vulnerabilities, presenting a daunting challenge to building secure operating systems. By offloading the authentication to an external EB device, security concerns arising from operating system complexity can be addressed. The coupling process of a biometrically linked, live-state checking EB device to an external machine (i.e., computer, tablet, smart phone, access control mechanism) is described below:

1) The EB device will have a unique semiconductor/microchip identity.
2) The EB device is registered with the biometric imprint from the owner.
3) The external machine will have an EB agent application installed.
4) The EB agent application will be activated with the initialization process using any authentication factor.
5) The EB agent and device are coupled using a one-time user-supplied input (e.g., via PIN), a nonce, and a common encryption key. The EB device functions as both the biometric verification/authentication agent and the electronic key fob for the external device.
6) The EB device generates another nonce and hashes it, using a message digest function, with the concatenation of the EB device identity and the user identity. The hashed data is then encrypted and sent to the external device.
7) The external device decrypts the message from the EB device, verifies the nonce, the EB device, and the user identity (by comparing the hash), and executes critical transactions.
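Steps 5 to 7 above can be exercised end to end with both sides of the exchange in one script. The following is an added example written for this page, not code from the patent or from Sandia. It assumes: a session key derived from the one-time PIN, a pairing nonce and the common key (step 5); an authentication message consisting of a fresh nonce and the digest of nonce || device identity || user identity, encrypted under the session key (step 6); and an agent that rejects tampered, replayed or mis-attributed messages (step 7). The device and user identifiers, PIN and common key are constructed placeholders. The "encryption" is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the script runs on the Python standard library alone; a real device would use an authenticated cipher such as AES-GCM in its place.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Set, Tuple

# Constructed identifiers and secrets for this example (not real values).
EB_DEVICE_ID = b"eb-chip-id:0001"      # step 1: unique microchip identity
USER_ID = b"user:alice"                # identity registered with the owner's biometric
COMMON_KEY = hashlib.sha256(b"constructed common encryption key").digest()


def couple(common_key: bytes, user_pin: str, pairing_nonce: bytes) -> bytes:
    """Step 5: both sides derive the session key from PIN, pairing nonce and common key."""
    return hashlib.pbkdf2_hmac("sha256", user_pin.encode(), common_key + pairing_nonce, 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; wire format is nonce(16) || ciphertext || tag(32)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Tuple[bytes, bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return nonce, bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EBDevice:
    """Wearable side: emits a fresh authentication message while the wearer is coupled."""
    def __init__(self, device_id: bytes, user_id: bytes, session_key: bytes):
        self.device_id, self.user_id, self.key = device_id, user_id, session_key
        self.live_state_ok = True      # would be driven by the vital-sign monitor

    def auth_message(self) -> bytes:
        # Step 6: new nonce, digest over nonce || device id || user id, then encrypt.
        if not self.live_state_ok:
            raise RuntimeError("live state lost: identity is decoupled")
        nonce = os.urandom(16)
        digest = hashlib.sha256(nonce + self.device_id + self.user_id).digest()
        return encrypt(self.key, nonce, digest)


class EBAgent:
    """External-machine side (step 7): checks nonce freshness, device and user identity."""
    def __init__(self, device_id: bytes, user_id: bytes, session_key: bytes):
        self.device_id, self.user_id, self.key = device_id, user_id, session_key
        self.seen_nonces: Set[bytes] = set()

    def verify(self, blob: bytes) -> bool:
        try:
            nonce, digest = decrypt(self.key, blob)
        except ValueError:
            return False                       # tampered, truncated or wrong key
        if nonce in self.seen_nonces:
            return False                       # replayed message
        expected = hashlib.sha256(nonce + self.device_id + self.user_id).digest()
        if not hmac.compare_digest(digest, expected):
            return False                       # wrong device or user identity
        self.seen_nonces.add(nonce)
        return True


def demo() -> Dict[str, bool]:
    """Run the coupling and one persistent-authentication round against bad inputs."""
    key = couple(COMMON_KEY, "1234", os.urandom(16))    # constructed PIN and pairing nonce
    device = EBDevice(EB_DEVICE_ID, USER_ID, key)
    agent = EBAgent(EB_DEVICE_ID, USER_ID, key)
    msg = device.auth_message()
    tampered = msg[:20] + bytes([msg[20] ^ 0x01]) + msg[21:]   # one flipped ciphertext bit
    impostor = EBDevice(EB_DEVICE_ID, b"user:mallory", key)     # same key, other identity
    results = {
        "fresh": agent.verify(msg),
        "replay": agent.verify(msg),
        "tampered": agent.verify(tampered),
        "wrong_user": agent.verify(impostor.auth_message()),
    }
    device.live_state_ok = False           # wearer decoupled: device must go silent
    try:
        device.auth_message()
        results["emits_when_decoupled"] = True
    except RuntimeError:
        results["emits_when_decoupled"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The per-message nonce is what makes the "persistent" part of the authentication meaningful: the agent keeps the nonces it has accepted, so a captured message cannot be played back later to keep a session alive after the wearer has walked away. Binding the location factor described elsewhere on this page would sit naturally in `EBAgent.verify` as one more condition before the nonce is recorded.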

FIG. 2 is an example scenario demonstrating how the use of EBs for authentication can address the shortcomings of traditional biometrics and provide strong authentication. The owner of the EB uses a fingerprint to register his/her identity with the EB device. Using near field communication (NFC), the EB device will function as a key to securely activate the owner's smart phone, without the need for explicit user interaction. Since the biometric data is only registered on the EB device, this eliminates the need for a third-party institution to store and secure personal information. If the EB device is stolen or lost, the owner can simply disable the EB coupling to the device, buy another EB device, and use a fingerprint (it could be the previously used fingerprint) to register the new device. As can be seen from FIG. 2, the coupling of EB with the idea of a 4th factor of authentication can lead to persistent authentication services, the 4th factor of authentication being location, or “where are you.” By creating an active authentication service, it creates the possibility of tracking insiders and minimizes remote threats, which now need to have a local presence. This type of authentication can be useful in a variety of domains including health and safety, finance, cyber/physical security, and material protection, control, and accounting.

Through the use of user location as a 4th factor of authentication and the creation of a unique machine-to-human identity through EB, an active authentication solution is disclosed. A survey of physiological techniques that can be used to continuously validate the live state, and of the potential commercial biofeedback products that can be modified for an EB device, has been studied. By combining physical presence and persistent identity verification, the risk of remote cyber threats is addressed, as well as the possibility of actively monitoring insider behaviors.

It should be understood that the application is not limited to the details or methodology set forth in the following description or illustrated in the figures. It should also be understood that the phraseology and terminology employed herein is for the purpose of description only and should not be regarded as limiting.

While the exemplary embodiments illustrated in the figures and described herein are presently preferred, it should be understood that these embodiments are offered by way of example only. Accordingly, the present application is not limited to a particular embodiment, but extends to various modifications that nevertheless fall within the scope of the appended claims. The order or sequence of any processes or method steps may be varied or re-sequenced according to alternative embodiments.

The present application contemplates methods, systems and program products on any machine-readable media for accomplishing its operations. The embodiments of the present application may be implemented using existing computer processors, or by a special purpose computer processor for an appropriate system, incorporated for this or another purpose, or by a hardwired system.

It is important to note that the construction and arrangement of the authentication system, device and method as shown in the various exemplary embodiments is illustrative only. Although only a few embodiments have been described in detail in this disclosure, those who review this disclosure will readily appreciate that many modifications are possible (e.g., variations in sizes, dimensions, structures, shapes and proportions of the various elements, values of parameters, mounting arrangements, use of materials, colors, orientations, etc.) without materially departing from the novel teachings and advantages of the subject matter recited in the claims. For example, elements shown as integrally formed may be constructed of multiple parts or elements, the position of elements may be reversed or otherwise varied, and the nature or number of discrete elements or positions may be altered or varied. Accordingly, all such modifications are intended to be included within the scope of the present application. The order or sequence of any process or method steps may be varied or re-sequenced according to alternative embodiments. In the claims, any means-plus-function clause is intended to cover the structures described herein as performing the recited function and not only structural equivalents but also equivalent structures. Other substitutions, modifications, changes and omissions may be made in the design, operating conditions and arrangement of the exemplary embodiments without departing from the scope of the present application.

As noted above, embodiments within the scope of the present application include program products comprising machine-readable media for carrying or having machine-executable instructions or data structures stored thereon. Such machine-readable media can be any available media that can be accessed by a general purpose or special purpose computer or other machine with a processor. By way of example, such machine-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code in the form of machine-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer or other machine with a processor. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a machine, the machine properly views the connection as a machine-readable medium. Thus, any such connection is properly termed a machine-readable medium. Combinations of the above are also included within the scope of machine-readable media. Machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions.

It should be noted that although the figures herein may show a specific order of method steps, it is understood that the order of these steps may differ from what is depicted. Also, two or more steps may be performed concurrently or with partial concurrence. Such variation will depend on the software and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the application. Likewise, software implementations could be accomplished with standard programming techniques with rule-based logic and other logic to accomplish the various connection steps, processing steps, comparison steps and decision steps.

What is claimed is:
1. A method for authenticating a user's identity to determine access to a system, comprising: inputting a first login into an ephemeral biometric device comprising a medical sensor; persistently monitoring a live user biometric with the ephemeral biometric device and using the persistently monitored user biometric to persistently authorize the ephemeral biometric device without determining that the user biometric is unique to the user and that the user is unique; communicating the authorization via a short distance wireless communication circuitry to an interface device; inputting a second login to the interface device to access the system; and persistently communicating an authentication signal between the biometric device and the interface device by persistently generating a nonce at the ephemeral biometric device while persistently validating the nonce at the interface device to validate that data transmitted between the biometric device and the interface device is authentic, which then allows the interface device to persistently authenticate and access to the system.

2. The method of claim 1, wherein the first login comprises a fingerprint.

3. The method of claim 1, wherein the first login comprises a personal identification number.

4. The method of claim 1, wherein the interface device is selected from a group consisting of a smartphone, computer, tablet, workstation, kiosk, or any other network-enabled device.

5. An ephemeral biometric device for authenticating the identity of a user to determine access to a system, comprising: a medical sensor comprising a biometric interface for accepting a biometric login from the user; a monitoring device for persistently monitoring at least one live biometric parameter of the user and using the at least one persistently monitored user biometric to persistently authorize use of the ephemeral biometric device without determining the user biometric is unique to the user and that the user is unique; and a short distance wireless communication circuitry for persistently communicating an authentication signal to an interface device having persistent authentication and access to the system over a login session; wherein the ephemeral biometric device has an ephemeral biometric identity; the user has a user identity; and wherein the persistently communicated authentication signal comprises a nonce generated by the ephemeral biometric device, the ephemeral biometric identity, and the user identity.

6. The device of claim 5, wherein the biometric login is a fingerprint.

7. The device of claim 5, further comprising: a fourth module for determining the location of the biometric device.

8. The device of claim 7, wherein the fourth module includes global positioning system connectivity.

9. The device of claim 7, wherein the fourth module includes indoor positioning system connectivity.